---
kind: Service
apiVersion: v1
metadata:
  name: gatekeeper
spec:
  ports:
    - port: 80
      targetPort: 3000
  selector:
    k8s-app: gatekeeper

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: gatekeeper
  labels:
    k8s-app: gatekeeper
  annotations:
    reloader.stakater.com/auto: "true"
    configmap.reloader.stakater.com/reload: "gatekeeper-config"
spec:
  replicas: 2
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      k8s-app: gatekeeper
  template:
    metadata:
      labels:
        k8s-app: gatekeeper
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/path: "/oauth/metrics"
        prometheus.io/port: "4000"
    spec:
      initContainers:
        - name: prepare
          # image: busybox:1.34.1
          image: bigkaa/m_busybox:3.14.2
          imagePullPolicy: "IfNotPresent"
          envFrom:
          - secretRef:
              name: gatekeeper
          command:
            - sh
            - -c
            - |
              #sed -e "s/\$CLIENT_ID/$(echo $CLIENT_ID)/" \
              #    -e "s/\$CLIENT_SECRET/$(echo $CLIENT_SECRET)/" \
              #    -e "s/\$ENCRYPTION_KEY/$(echo $ENCRYPTION_KEY)/" \
              #    /mnt-template/config.yaml > /mnt/config.yaml
              envsubst < /mnt-template/config.yaml > /mnt/config.yaml
              # cat /mnt/config.yaml
              echo "Done"
          volumeMounts:
          - name: config
            mountPath: /mnt
          - name: config-template
            mountPath: /mnt-template
      containers:
        - name: gatekeeper
          image: 'quay.io/gogatekeeper/gatekeeper:1.3.5'
          imagePullPolicy: IfNotPresent
          args:
            - '--config'
            - /etc/gatekeeper/config.yaml
          ports:
            - name: proxy
              containerPort: 3000
              protocol: TCP
            - name: admin
              containerPort: 4000
              protocol: TCP
          resources:
            limits:
              cpu: 100m
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
          - name: config
            mountPath: /etc/gatekeeper/
          livenessProbe:
            httpGet:
              path: /oauth/health
              port: admin
              scheme: HTTP
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /oauth/health
              port: admin
              scheme: HTTP
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            readOnlyRootFilesystem: true
      volumes:
        - name: config
          emptyDir:
            medium: Memory
        - name: config-template
          configMap:
            name: gatekeeper-config

